Having a SPNEGO configuration with your Connections account in
Lotus Notes can make using and administering Connections widgets so much
easier. But right now, setting it up to use is not a simple
proposition. Unfortunately I learned the hard way that there are some
issues that make using this configuration difficult/impossbible
to implement until some of these issues are fixed in the future code.
That is unless you know some tricks to get around those problems.

Let's
start out by going over how you would think to implement the
configuration in Lotus Notes. If you are going to set up SPNEGO in your
Connections account for an individual user you might go to your
preferences and click on the Connections entry the list. Then you would
check the "Enable IBM Connections Features" checkbox. Next you would enter the URL into the "Server URL" field. Then click on the "Advanced" button and choose the "OS Credential"
option. That sounds like it should be pretty simple and someday that
may be all you need to do. But for now let's go over some of the things
that you will need to do to get this working.

The
first thing to take care of is the krb5.ini. This is the Kerberos
configuration file that Lotus Notes is going to need to initialize
SPNEGO in your Windows environment. It will need to be placed in the
< Lotus Notes>/framework/rcp/deploy/extras directory. Below is an example of how this file needs to be configured.

[libdefaults]default_realm = <change to something like IBM.COM/Should be the AD Domain>default_tkt_enctypes = des-cbc-md5 rc4-hmacdefault_tgs_enctypes = des-cbc-md5 rc4-hmac[realms]SERVER.IBM.COM = { (This line should not be changed)kdc = logonserver.ibm.com:88 (change to the value of your logonserver. You can get this by typing echo %logonserver%)admin_server= logonserver.ibm.com:88 (change to the value of your logonserver. You can get this by typing echo %logonserver%)default_domain = <change to something like ibm.com>}[domain_realm].ibm.com = <change to the realm value to be used. ie. IBM.COM>ibm.com = <change to the realm value to be used. ie. IBM.COM>

A couple gotchyas that are relatively minor are that when you set up your Connections preferences you need to specify "https://" address as the server the server URL. And you will want to use the "https://<hostname>/activities/service/authredirect.jsp" for the Authentication URL field. (NOTE: Greenhouse doesn't support SPNEGO. I'm just using this as an example)

After
making these changes you may still find that SPNEGO doesn't work as you
would expect. Well one reason may be that you are an administrator on a
Windows 7 PC. This is a quirk of the UAC in Windows. In order to get
SPNEGO to work you can right-click the Notes icon when you start and
choose "Run as Administrator".

This
should work to get your Activities widget working. But many times
you'll want to do something like use another widget. For example the "Status Updates"
widget is very popular. But if you're using SPNEGO you'll notice that
the thumbnail pictures of users may not be coming down. this is a
known issue that you can address by adding a line to your plugin_customization.ini file. This is located in your <Lotus Notes>/framework/rcp/ directory. This changes the behavior of the plug-in to pull the images via a feed mechanism.

com.ibm.lconn.statusupdates/download.image.enabled = true

PUSHING IT OUT

So
after making all those changes you should now have a working SPNEGO
enabled Connections account on your Lotus Notes client. What you usually
end up wanting to do from this point forward is to push these changes
out to a large group of users. The way to do that is through Policies.
If you go to your Name and Address book go to your Policies folder and
click on the Accounts view. Click on the Add Account button and start
filling out the form. The key fields will be the "Account type" which should be Connections; the "Connections service URL"; and the "Authentication URL" on the Advanced tab. Also on the Advanced tab, you need to choose the Authentication type and set that as OS-CRED.

The
most important trick to pushing this policy out is to place the
krb5.ini in the Account file field. This will place that file in the
rcp/deploy/extras folder. Note: You can only place one file in this
field. So this will be problematic if you need to create a custom icon.

For
the issues associated with the UAC causing authentication failures when
using SPNEGO, there are a couple options. One you can create a VBS
script that will starts the notes program with elevated privileges. Or
you can modify the shortcut. Right-click on the icon and select
properties. You will see a Compatibility tab and on that you can choose
to check the "Run this program as an administrator" option.
Both of these options have the negative side effect of creating a pop-up
that alerts you to the fact the program will need to run with elevated
privileges. If you want to bypass that's pop-up, you can create a
scheduled task that will run with elevated privileges and then start
that task via a shortcut.

Note: You need to be an administrator for these. Regular users will not need to implement these options to get SPNEGO to work.

I was at a customer site recently. And because I'm on the SWAT team, let's say that the situation I dropped in to help was a little tense. And it just so happens that I have a daily build of the Notes Social Edition as my client.

Someone had come into the war room and was demanding some answers on an aspect of what the team was doing. During a period of intense "back and forth" that I was in the room for but not a part of; the mood suddenly changes. Suddenly the conversation becomes easier going and there is a lot more agreement. After he leaves, about half the room remarked "Did you notice he couldn't keep his eyes off Michael's computer!".

Apparently, he saw me moving through the new UI and was enthralled. I'll take the help where I can.

Probably the most talked about piece about the Social Edition is the plugin. It allows more integration of applications into the browser so that you can view things other than mail with your browser.

BTW, below is a screenshot of a beta build I took from Ed Brill's blog. The layout is cleaner and you get a lot more information without feeling cluttered. And they have made some really smart improvements to how to navigate around. I can see why one might be enthralled.

One of the coolest things you can do with the Notes client is plug in functionality that someone else has written. If you are like me then your mail archive has way more documents than your mail database. And going from database to database is a pain.

To help fix this, Bob Balfe wrote a plugin that can search multiple databases for you. All you need to do is drag and drop the widget from the following page:

After that it's just about clicking the databases you want to search and then running a search from the toolbar. The most amazing thing about all this is how few people know that it is available to them.